FR2897489A1 - AUTHENTICATION WITH CONFIDENCE OF A USER BY A SERVER - Google Patents

Abstract

The invention relates to a method for authenticating a user by a server, accessed via the Internet. This method comprises: a first step of recognition by the user of the server and a second step of authentication of the user by the server. The method involves a password provided by the user; the user is not forced to use a particular device other than a network connection terminal.

Description

AUTHENTICATION WITH CONFIDENCE OF A USER BY A SERVER

  The purpose of the present description is, firstly, to analyze the problem of authentication of a user by a server accessed via the Internet and, secondly, to propose an innovative solution that can respond to this problem. problematic. I) The problem posed Authentication of a user through the Internet is not a new problem and multiple authentication mechanisms are already used, commonly or not, to try to meet this need. . The most basic mechanism and among the least secure and yet the most used is the one where the server asks the user to identify himself by an identifier, ID, and to authenticate by providing a password, PW . This mechanism is very often supplemented by the prior implementation of an SSL or TLS session between the user station and the server. This solution is supposed, on the one hand, to allow the user to authenticate the server and, on the other hand, to set up a secure communication channel between the user and the server. In this way, the user and the server will be able to confidently exchange confidential information during the session, starting with the communication by the user of his identifier (ID) and password (PW). authentication. Of course, the only use of a password to authenticate a user remains a priori a fragile solution since the mere compromise of the password will allow a third party to impersonate the user in question. This is a simple factor authentication mechanism, the password stored by the user. There are multi-factor authentication mechanisms, other authentication factors generally complementing the password: - something that the user owns, such as a smart card - a feature unique to the user. user, specifically a biometric factor, such as its fingerprint. But these mechanisms are almost always expensive to implement and may be excessively burdensome for users, nomadic or not. Therefore, we limit ourselves to the search for solutions that do not require the implementation of any additional hardware to that constituted by a basic user station (for example a Windows PC). The ideal solution sought is the best possible compromise between security and ergonomics. Therefore, the scope of this application is removed from the software certificate track (without hardware support). II) Critical analysis of the state of the art The following analyzes the risks of compromising a password intended for the authentication on the Internet of a user: on the server, without addressing the question its integrity (supposedly mastered), - by systematic testing of plausible passwords (dictionary attack), - on the network, - on the user station. The server must obviously be able to verify that the user knows the PW. The simplest solution is therefore for the server to be communicated the PW entered by the user and to compare it to the PW known to the server. In this context, an attack is to obtain a copy of the password file. The server will of course be protected against this type of attack but it is difficult to exclude it altogether and that is why a better solution is to not keep on the server the PW but only information to verify that the user has entered the correct PW. To avoid dictionary attacks, you must: - make systematic password tests impossible - or at least make such tests impractical. If the only way to test a PW is to try to access the server, it is clear that a first parry is to limit the number of attempts that will accept the server before blocking the user account in question. The same must be done for the same tested PW against too many user accounts. If, on the other hand, the risk exists that a third party could obtain information computed from the PW and other unprotected information, then the dictionary attack is possible without having to involve the server. The only solution to defeat this type of attack is then to have imposed a password strong enough that the dictionary attack can not succeed before a sufficiently long delay. But a user can never memorize such a password and in fact, it is then necessary to protect at least one other information used in the calculation of the disclosed information (for example a randomly sufficient hazard).

  To avoid the compromise of PW on the network, a first solution is to use a secure communication channel, the information exchanged are encrypted. Hence the advantage of using an SSL session that is supported as standard by all serious browsers.

  But the use of SSL does not eliminate all risks, including the risk of being in communication with a fake site posing as the legitimate site. The weaknesses of ID / PW authentication are analyzed in an SSL session: These weaknesses come mainly from a too lax management of the browsers of the market. The situation is gradually improving as the main browsers on the market evolve, starting with Microsoft's Internet Explorer and Firefox from the Mozilla Foundation.

  In fact, the user will rely on the indications provided by the browser used to accept or not to enter his PW. In other words, a browser is a "trusted application" since it is the browser that implements the SSL protocol on behalf of the user.

  But the vigilance of the user can too easily be deceived: -the user will not necessarily see that he misses the lock that symbolizes the existence of an SSL session, - he does not always see that it n is not on the good server site, - it does not generally check the server certificate and it rarely has the competence to know if a certificate is valid or not, - the browser in principle alerts the user if the certificate was not issued by a trusted Certificate Authority (CA) but it does not block, the user often responding mechanically positively to the question asked whether or not he trusts this CA, and the non-revocation of the certificate is rarely verified, - finally, a CA is considered to be trusted if it has been so declared in advance, what a user could do without suspecting the scope of this statement or worse, that a third party having had access to the post used could have done without the knowledge of the legitimate user. We recall that we are interested in all types of users including individuals and not only users in a professional capacity from their office. The 20 individuals are generally administrators of their user station and they have by definition all the rights of administration without necessarily making a prudent use, not counting their children, still less cautious, which constitutes obviously a factor of aggravation of risks. Finally, there remains the risk of compromising the password on the user station. We can identify four components to this risk: - listening to the input of the PW by a keylogger or other spyware (local spies), 30 -interception of the data exchanged scripts with the server, just before their SSL encryption, which the PW or data from which the PW can be derived, - the user's unknowing use of an SSL session after successful authentication of the user, 10 15 - the compromise of an application of trust the example of the browser that could be modified to disclose the PW, or substituted by a spyware. There are anti-spyware software solutions but as for anti-virus and firewall solutions - their implementation is left to the initiative of users, - the software in question is not always free, - they are not necessarily up to date, - and they are not always effective against all emerging threats. In summary, it can be seen that the risks of compromising passwords are only rarely and imperfectly countered by measures that sometimes remain to be imagined and developed: - keylogging and other forms of spyware on the user station, - passive phishing via fake sites, 20 - active phishing by intermediation via fake sites or by SSL session borrowing on the user station.

  25 III) Proposed solution The question is how to authenticate a user by password by seriously limiting the risk of compromise of this password. The analysis shows that one of the main risks is that the user may end up freely disclosing his password in malicious hands that have managed to cheat his trust. The question therefore becomes how to enable a user to recognize the legitimate server from whom he can then authenticate with confidence.

  The solution according to the invention responds to this main risk as well as to the other risks identified. First of all, the false good idea of recognizing the legitimate server should be discarded by presenting the user with an agreed sign of recognition (sentence or image). It is indeed impossible to present such a sign of recognition to the user without a spyware can not on this occasion take knowledge of this secret. It must at least 10 show the sign of recognition and then it is at least possible for a spyware to make at that time a screenshot. The secret that is supposed to be the sign of recognition is therefore compromised, without the user being able to suspect it. At a future access, it then becomes possible to use the recognition sign to pretend to be the legitimate server and the user will confidently enter his PW which is then in turn compromised. It has already been pointed out that browsers are "trusted applications". In fact, it seems clear that the solution necessarily involves the use of such a trusted application. We can choose to wait for browser editors to solve the problem of authentication with confidence or to adopt a more voluntarist position: - to imagine and design a trusted application temporarily reinforcing current browsers - hope that the publishers The browsers adopt the solution according to the invention and end up integrating it directly into the browsers. While waiting for the integration of the trust functions directly in the browsers, the transient solution passes by the definition of an extension to the browser (of course, its implementation will depend on the target browser but our purpose here is to describe the functions, not the implementation). According to the invention, a solution similar to the PwdHash technique developed by Stanford University is used. It is an extension that reinforces the browser in its dimension of trust relative to user authentication. It is recalled that Pwdhash is an extension that replaces the PW entered by the user with the haste (hash function) of the PW and the server's domain name as observed by the user station. Therefore, if the user is a victim of a fake site, it does not disclose: - neither its PW -ni even reusable information by the fake site 15 vis-à-vis the legitimate site. This solution has great merit but does not completely address the problem. In fact, this solution remains partial but above all it is in the hands of each user who wishes to protect himself against the risks of compromise of his PW; the solution remains completely transparent with respect to the servers. But the problem is in reality almost opposite: it is the server to protect the private data it contains and in case of online orders, it is still the server that needs to verify that the order emanates good of his client. The customer will appreciate all the more services rendered by the server that it is able to protect against these concerns of identity theft. That said, it is obvious that no security is possible in case of unresponsive behavior of the 30 users. But it is up to the server to explain to its users what is expected of them and without assigning them responsibilities out of reach or unreasonable. The solution sought does not need to be transparent with respect to the servers. However, it is nevertheless desirable to limit the impacts on the server whose access security is to be enhanced; hence the idea of an impact limited to the authentication function leaving unchanged the actual processing of the server. Pwdhash still removes the idea of an explicit and voluntary activation of the extension of trust by the user. Typing a function key ("F2" for example) signals to the trust extension that an authentication sequence is requested for the browser window that has the focus.

  The extension then opens a new window, "popup", dedicated to the authentication process with confidence. A bit of redundancy does not hurt security and the extension starts by asking the user for the name of the domain he wants to access.

  A priori, it is redundant information since the user has already visited the site he intends to access, using the mechanisms of his browser, including: - the entry of the URL, or directly from the address IP, - the selection of a favorite, - or by clicking on a link. But these mechanisms do not guarantee that the user has arrived on the site that he believes. The entry of the domain name (for example that of its Online Bank "lcl.fr") introduces a redundancy that allows controls with the data of the site actually accessed: -existence of an SSL session, - correspondence of the server certificate accessed with the domain name entered, - validity of the certificate in question. The trust extension carries out these checks without the usual laxity of the browsers: - the list of root CAs will not be modifiable by the user (it will be up to the server to adapt to it), - an expired or revoked certificate will not be able to be admitted (we do not even ask the question to the user). It is only after these checks that the user will be asked to enter his ID and PW, which he can then do with confidence in the popup of the extension. The extension includes a function to prevent keyloggers and other spyware to listen to input, including the PW. Various solutions exist to achieve this anti-keylogger function with nevertheless varying efficiencies depending on the solutions. The user will also know that the entry of his PW is authorized only in this precise sequence: - access to the realized server 15 - keystroke of the selected function key - opening of a popup - entry of the domain name - entry of the ID and the PW. Note that it may be wise to display between the entry of the ID and that of the PW, a greeting from the server type "Hello Mr. Ulrik BERGSTEN, your last access date such time such day". This is not critical but can only contribute to an increased vigilance of the user for the crucial input of his PW. 25 Always inspired by Pwdhash, the communication with the server is done via the initial window and thus via the scripts transmitted by the server. But since the man-machine interface is located in the popup of the trusted extension, the fields of these scripts do not have to be viewed. These fields are read by the extension for the information transmitted by the server for the trust extension and are informed by the trust extension for their communication to the server (the "post" being also triggered by the server). extension of trust).

  A spyware will be able to observe these fields and that is why, it is advisable to exchange in this way only non-secret data. It must be remembered that even if the SSL protocol is well implemented, it is a data transport level protocol and not an application level (encryption of the exchanged data only occurs after application sending by the "post" and we have the same problem in reception). Moreover, it has already been pointed out that the PW itself must not be communicated to the server in order to limit the possibilities of attacks on the server. We see here that it is necessary to implement an authentication in zero knowledge (or null disclosure). The SRP solution (version 6a) from Stanford University is particularly well suited to this part of our problem.

  20 25 30 So here is essentially the nature of the exchanges between the trust extension and the server, after confirming that we are in contact with the legitimate server: Server trust extension

  Entry ID Transmission ID H> Preparation Greeting (ID) Search s and v (ID) Random draw b Calculation B (b, v) Greeting message F Greeting message + s + B PW entry Random draw a Calculation A (a) Calculation MK1 (a, B, s, PW) Calculation AUT1 (A, B, MK1) Transmission A + AUT1 H> Calculation MK2 (A, b, s, v) Calculation AUT2 (A, B, MK2) Access control OK (if AUT1 == AUT2)

25 Some explanations:

  v is the known checker of the server and corresponding to the PW of the user identified by ID, 30 - s is a salt chosen when calculating v from the PW, that is to say a number chosen at initialization of the count, - A is calculated from a in such a way that the knowledge of A does not make it possible to find a, 20 - B is calculated from b but also from A and v, always from such way that the knowledge of B does not allow to find b (nor v), - MK is a key calculated in two different ways, on the one hand on the side of the MK1 trust extension and on the other hand on the MK2 server side ; if the PW used by the trust extension corresponds to the verifier v used on the server side then MK1 == MK2, - AUT is the authenticator allowing the server to recognize the user; it is calculated on both sides from respectively MK1 and MK2 and if MK1 == MK2 then AUT1 == AUT2.

  For more details, visit the site "srp.stanford.edu".

  The information exchanged is ultimately the following:

  20 - ID - Greeting + s + B - A + AUT1.

  The possible interception of these data reveals nothing really secret, does not allow to deduce the secrets strictly speaking (a, b, v, MK or PW) and are not reusable for a new access to the server. Once the server has recognized the user in this way, it only has to open the access to the user via the initial window (sending this data allows the trust extension of find that her role is over and she can close the popup). 10 35 IV) Possible extensions The basic solution can be extended and in particular the following: - prevent the borrowing by a parasite from a validly open session, - validate transactions online, - strengthen the authentication by a second biometric order factor. Extension to resist pests

  Once the server has recognized the user, it is sufficient, in this variant, to continue to rely on the extension of trust until the closure of access to the server. The trust extension intercepts each post emanating from the window that has been authenticated to add a seal to the transmitted data. This seal could typically be the hash of MK1 and the application data hash, the trust extension having kept in memory the value of MK1. The server knows if the seal is required or not; this can also be his choice, either for all 25 requests from the user or for those where he has requested. The server will also have kept in memory the value of MK2 so that it can check if necessary the actual presence of a seal and its validity. In this way, any parasite grafted to the browser will not be able to borrow the open session to access the server in parallel in the name of the user but without his knowledge. 10 35 Extension to validate online transactions

  The server wants the user to formally validate a transaction by re-entering his PW based on the transaction data; this being done online through a validly open session. For this purpose, the server sends the text containing the data of the transaction to be validated with a validation request flag for the extension of trust.

  Given this indicator, the trust extension opens a popup again but it is not necessary to restart the entire authentication process. The trust extension displays in the popup the text of the data of the transaction to be validated and asks the user to validate the transaction by re-entering his PW. The trust extension has kept in memory the data used during the authentication process and in particular the values of ID, s and MK1 but not the too sensitive PW. This allows him to calculate the verifier to which the ID / PW pair corresponds (from ID, s and PW). From there, the trust extension calculates SE1 as the hash of v, of MK1 and the hash of the data text of the transaction to be validated. The data SE1 is then returned to the server. The server independently calculates SE2 in the same way. The transaction will be considered valid if SE1 SE2. This indeed shows without risk of disclosure of 30 secrets that: - the validated text is the same as the text to be validated, the entered PW is the correct one. Note that it is important to involve v because otherwise the server could not verify that the newly entered PW is the correct one. Also note that it is the use of MK1 that prevents the disclosure of secrets (PW or v). Extension with Two-Factor Authentication Despite all the precautions taken, one can never quite exclude the compromise of the PW, especially by compromising the extension of trust or simply by negligence of the user. The PW constitutes a first authentication factor 10 and the idea of this variant is to add a second authentication factor. We have stated that we are looking for authentication solutions that do not require the use of any additional hardware at the base user station. 15 It is therefore not possible to use as a second factor "something that the user possesses" since it would be just something material such as for example a smart card + reader or a USB key or a device. "calculator" capable of generating dynamic passwords or challenge responses. So we think about using a characteristic of the user, so a biometric factor. But in order to be able to capture this characteristic, it is generally necessary to have a device adapted for this purpose, which has been excluded from the scope of the present solution. Yet it remains a characteristic of each user that does not require any device other than those that is endowed any user station: how to enter text on a computer keyboard. The idea is thus in this variant to complete the authentication by PW by a biometric method of this nature and why not by the "Psylock" method developed by IBI, the Institute for Bank Innovation, and by the University of Regensburg, also in Germany.

  It is recalled that this method assumes that the user has registered beforehand by typing typically a page and a half of text, so as to determine his keypad typing profile. This profile would obviously be kept by the server with the other authentication data (or on a dedicated server for this purpose). During an authentication, the user is required to enter a shorter text, of the order of one or two lines of text, which is then sufficient to determine whether or not the registered user is present. . The advantage of this method is that its implementation is not likely to disclose secrets and if we chose a variable text, we can also prevent the reuse of data from a successful authentication.

  On the other hand, reliability may not be sufficient to authenticate a user with this single biometric factor. Hence the natural complementarity, on the one hand, with the basic solution relating to the authentication of the user and, on the other hand, with the extension relating to the validation of online transactions. The recourse to this second authentication factor can be either systematic or modulated according to a certain frequency or according to the stake. Thus, the invention relates to a method of authentication of a user by a server, accessed by a computer network, including the Internet; this method comprises: a first step of recognition, by the user, of the desired server, and a second step of authentication of the user by the server, the method, which involves a password provided by the user , being such that the user is not forced to use a particular device other than a computer network connection terminal, • the first step comprising: -access to the server by a URL address according to the HTTPS protocol with establishment of an SSL or TLS session, the issuance by the server of a request asking the user to authenticate, the activation by the user, after receiving this request, of a trusted application constituting an extension of its browser, - the display, by the trusted application, of a window intended to manage the authentication process, - the request to the user, by the trusted application via the window, of enter the name domain of the server to which it wishes to connect, the checks carried out by the trusted application are as follows: existence of an SSL or TLS session with the server, correspondence of the certificate of the server accessed with the domain name entered, 20 - validity of the certificate, the certificate being considered valid only if issued by a recognized certification authority and if it is neither expired nor revoked, so that the user could verify that it is connected to the desired server, • the second step of the method comprising: - the request, by the application, the entry by the user of his identifier with the server, - the password entry by the user. the user, this input being preferably protected against local spying, the trusted application being such that it does not directly communicate the password to the browser or the server, the trusted application and the server 35 oe a zero-disclosure authentication, on the one hand, that a dynamic secret is shared between the trusted application and the server and that, on the other hand, the authentication of the user by the server is performed at the server. way of this shared secret; so that the authentication of the user by the server is performed minimizing the risk of compromising the password of the user. In one embodiment, between the entry of the identifier and the entry of the password, a greeting is provided by the server containing non-public information related to the relationship between the user and the server, so as to confirm to the user that he is in relation with the desired server. In an embodiment for which, in order to guard against a session spoofing previously opened and for which session, the user has previously authenticated himself, the method uses the shared secret between the trusted application and the server to calculate and add a seal to the data transmitted by the browser to the server, the server rejecting data without a seal or with an incorrect seal. In one embodiment, to validate a transaction during a previously open session: - the server presents the transaction data to the user via the trusted application, - the trusted application collects the user's consent by asking him to enter his password again, the latter being preferably protected against local seizure, the trust application transmits a seal calculated from the transaction data, the password newly seized and the shared secret, the server checking the seal so as to reject the transaction in the absence of seal or with an incorrect seal. In one embodiment, password authentication is enhanced by authentication with a second biometric factor, the second authentication factor of recognizing the user by his or her behavior when entering a text. communicated by the server via the trusted application, so that the second authentication does not require additional device to connect to the user's computer. 10

Claims (5)

  1. A method of authenticating a user by a server, accessed by a computer network, in particular the Internet, this method comprising: a first step of recognition, by the user, of the desired server, and a second step; of user authentication by the server, the method, which involves a password provided by the user, being such that the user is not forced to use a particular device other than a connection terminal to the computer network, • the first step comprising: - access to the server by a URL address according to the HTTPS protocol with establishment of an SSL or TLS session, - the transmission by the server of a request requesting the user to authenticate, - the activation by the user, after receiving this request, a trusted application constituting an extension of his browser, - the display, by the trusted application, a window of managed to manage the authentication process, - the request to the user, by the trust application via the window, to enter the domain name of the server 25 to which he wishes to connect, - the checks carried out by the application are the following: - existence of a session SSL or TLS with the server, 30 - correspondence of the certificate of the server accessed with the domain name entered, - validity of the certificate, the certificate being considered valid only it has been issued by a recognized certification authority and if it has not been expired or revoked, so that the user has been able to verify that it is connected to the desired server, • the second stage of the process comprising: - the request, by the application, the entry by the user of his identifier from the server, - the input of the password by the user, this entry being preferably protected against local espionage, the application of trust being tell e it does not directly communicate the password to the browser or the server, the trusted application and the server implementing a zero-disclosure authentication such, on the one hand, a dynamic secret is shared between the trusted application and the server and that, on the other hand, the authentication of the user by the server is performed by means of this shared secret; so that the authentication of the user by the server is achieved by minimizing the risks of compromising the password of the user.   2. Method according to claim 1, wherein, between the entry of the identifier and the entry of the password, a greeting is provided by the server containing non-public information related to the relationship between the user and the user. the server, so as to confirm to the user that he is in relation with the desired server.   3. Method according to claim 1 or 2 wherein, to guard against a session spoofing previously opened and for which the user has previously authenticated, the method uses the shared secret between the trust application and the server to calculate and add a seal to the data transmitted by the browser to the server, the server rejecting data without a seal or with an incorrect seal.   4. Method according to any one of claims 1 to 3, in which to validate a transaction during a previously open session: the server presents the transaction data to the user via the trusted application; the trusted application collects the consent of the user by asking him to re-enter his password, the latter being preferably protected against local seizure, 10 - the trusted application transmits a seal calculated to from the transaction data, the newly entered password and the shared secret, the server checking the seal so as to reject the transaction in the absence of a seal or with an incorrect seal. 15   5. Method according to one of the preceding claims wherein the password authentication is reinforced by an authentication with a second biometric type factor, the second authentication factor of recognizing the user by his behavior when entering a text communicated by the server via the trusted application, so that the second authentication does not require additional device to connect to the user's computer. 25